ChicagoVPS hacked, bunch of VPS customers offline
This discussion has been closed.
Comments
I think that one thing we learned from all of this is that SolusVM and @soluslabs are a bunch of idiots on high horses who we'd better leave alone. Of course, some (including @Francisco) already knew this, but their responses to @CVPS_Chris only emphasize it.
There's this song from the film TED in which you can nicely replace 'thunder' with 'solus'...
Heh?
There is nothing wrong with the API. We have checked the code and it's fine. CVPS have contacted us with a very vague reply that gives no details whatsoever.
I assume this 'software issue'
Until CVPS actually come out and say this is a SolusVM exploit and it is confirmed I think this is highly unfair. SolusLabs have been making rapid improvements to SolusVM lately which I particularly appreciate.
I didn't say anything is wrong with the API, it's more with the product in general and your apparent attitude. The API could be fine.
&&
You haven't learned anything and obviously you didn't read the thread at all. What apparent attitude? Are you talking about the ChicagoVPS issue at all? Are you talking about the same things we all see here, or did you take the opportunity for some generalised random statement without merit?
Someone compared this thread with the "HyperVM fiasco" and said something like history repeats itself. Indeed. But not as people with bad memory see it. When Vaserv was hacked, it was hacked because the owner's password was compromised, not because of a fault in HyperVM (which wasn't without issues, for sure); however, in this incident Vaserv used it just as a scapegoat, and to this date people keep the "HyperVM - something bad" connotation in their minds.
And now again, history repeats itself.. with the image damage caused to them by ChicagoVPS' irresponsible statement, people will blame SolusVM for the next 5 years or so... without any evidence that the fault was on their side at all.
It's just scary to see how much long-term damage a single guy's statement can cause to a brand, with the only purpose of saving his own ass by putting the blame on others..
At the end of the day we care about our product. If someone attacked your product/company I would like to think you would defend it.
I'm not even going into the Frantech case.. end of.
@soluslabs thank you for keeping us informed.
+1
Maybe try the @Francisco solution here?
http://blog.backblaze.com/2012/10/31/10-spooky-data-loss-stories/
Solus didn't fix non-alphanumeric passwords in years, don't use PDO etc, so it's quite clear to me their product is probably as secure as a used diaper. Still, in this particular case the FUD level is so high, it seems obvious ChicagoVPS is hiding details of this incident on purpose. Whether it's only to cover their asses will be seen later.
@averell what's with the hate on SVM? Their code may be "deprecated" by not using PDO and other such things; but it's survived a lot? All exploits are patched within hours; and security notices are thrown out often.
@eastonch, it's not hate. After all, they are market leader in the low-end segment. That doesn't make their product good though. There are just too many issues they were incapable of fixing in any reasonable timeframe. This gives the general impression that the code-quality seems at maybe the high-school project level, otherwise a simple fix would be simple instead of taking years. Also, as can be seen here, they try hard. To get back on track, in this case until proven otherwise I'm assuming they have no fault here.
http://blog.backblaze.com/2012/10/31/10-spooky-data-loss-stories/
That's hilarious but not me :P
Francisco
I'm not just talking about the issue here (ChicagoVPS and SolusLabs contradicting each other), I'm talking about issues in general (some in the past) related to SolusLabs and their communication. What Francisco said only emphasizes it. SolusVM is all over this thread, so it's not that strange to take a turn on that as well. We don't know whether it was ChicagoVPS' fault or SolusVM's fault. I never pointed fingers about the current issue.
I don't blame you for defending your product. I would do the same. However, I do blame you for the apparent lack of care for security in your product. Take a look at some of the things @joepie91 said. Also, some things in your product make me shudder. I'm willing to explain some of these, but this is not the place.
Send them a PM then instead of calling them out on a public forum.
When this first started didn't CVPS state that another provider was also affected? Anyone know who?
Yeah I think @numim, that was the allegation.
Everyone pointed to every known provider they knew to be down.
Nothing was clear about who this mythical provider, the second one, was. Maybe it was Colocrossing? Do they have VPS offers directly?
They are not using PDO, and have a history of several SQLi vulnerabilities as a result. There is no indication that they intend on rewriting the code to use PDO any time soon. They barely respond to feedback on the security front (as evidenced in this thread), and are trying to roll their own security functionality instead of using tested and proven working existing functionality.
That seems like enough to consider their software horribly insecure.
This is a VPS panel we're talking about, not some random forum.
Oh you mean this part? "fetch all users first and then compare"
It needs to be done this way because the API information is two way encrypted in the database. You can't decrypt it unless you pull it first.
And the part about PDO?
mysql_ can still be as safe as using PDO_MYSQL. A PDO prepared statement can still be susceptible to an SQL injection attack. We have had plans for a while now to phase out mysql_ and will continue with these in due course.
Why would you give details on how your security works on a public forum? Like you say it's a vps panel.. it's the last place to post it.
Who said that? None of our data encryption is done using our own in-house functions.
Why are you encrypting API logins?
No, not really. It's quite easy to miss a variable when escaping stuff, even if you've made a habit out of it, as evidenced by your at least two (!) past SQLi vulnerabilities.
You're kidding, right?
Please tell me how this is in any way, shape or form vulnerable.
Will you be rewriting your existing code, and what is the priority on this phasing out?
If you have to hide your security to make it effective, there is something HORRIBLY wrong with your code.
You did, when you told us the API keys were generated with a 'custom function' that used the installation ID.
For security..............
I'm saying it can still be susceptible to an SQL injection attack.
In due course.
How does that add any security? Encryption is effectively pointless when the same machine holding the data, can also decrypt the data without human intervention.
And I just asked you to explain how, and gave you a bog standard example of a prepared query. Why are you not answering that question?
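The exchange above is about whether hand-escaping every variable is as safe as a prepared statement. The following is an added illustration (not code from any poster, SolusVM or ChicagoVPS) using an in-memory SQLite table constructed here: a hypothetical "escape everything" lookup that misses one variable, beside the parameterized form, which has no variable to forget.

```python
"""Added example: manual escaping with one missed variable vs. a parameterized
query. Table contents and function names are constructed for the demo."""
import sqlite3


def make_db():
    # Constructed sample data standing in for a panel's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, apikey TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "key-a"), (2, "bob", "key-b")])
    return conn


def escape(value):
    # Minimal quote escaping in the spirit of mysql_real_escape_string.
    return str(value).replace("'", "''")


def find_user_escaped(conn, username, client_id):
    # Hypothetical "escape every variable" style. The text field is escaped,
    # but the numeric-looking client_id is interpolated bare: one missed
    # variable, which is all an injection needs.
    sql = ("SELECT username FROM users WHERE username = '%s' AND id = %s "
           "ORDER BY id" % (escape(username), client_id))
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, username, client_id):
    # Parameterized: both values are bound by the driver and never become
    # part of the SQL text, so there is nothing to escape or to forget.
    sql = "SELECT username FROM users WHERE username = ? AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, client_id))]


if __name__ == "__main__":
    db = make_db()
    hostile_id = "1 OR 1=1"  # constructed input for the missed variable
    print("escaped, legit :", find_user_escaped(db, "alice", 1))
    print("escaped, hostile:", find_user_escaped(db, "alice", hostile_id))
    print("prepared, legit :", find_user_prepared(db, "alice", 1))
    print("prepared, hostile:", find_user_prepared(db, "alice", hostile_id))
```

With the hostile id the escaped version returns every row because `AND` binds tighter than `OR`; the prepared version compares the whole string to the integer column and returns nothing.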
That does not really give any information we didn't already have.
+1 @joepie91
@joepie et al This discussion is about the CVPS hack and unless there is proof that it was due to a flaw in SolusVM then any exchanges about flaws in SolusVM or an inadequate approach to security on their part should be in a separate discussion.
However annoying a laid-back approach to security on a vendor's part may be, I think this issue should be discussed in a dedicated thread.
PS. I am not related to, nor do I have an interest in, soluslabs in any way. The nearest I ever get to them is when I need to manage my VPS.
Too right. I'm all for a thread like that. There's a lot of software vendors who don't take security seriously. I'm pleased we're not one of them. Maybe it should be on a more reputable forum though. I don't think LET should be the place.
That wasn't really nice.
LOL put it on my forum, no one goes on there anyways XD
Maybe I worded it wrong. I've seen several threads on here where users refer to it as a playground.